Security Auditing Question
Results 1 to 10 of 10

Thread: Security Auditing Question

  1. #1
    Member
    Join Date
    May 2002
    Posts
    61

    Security Auditing Question

    For my Applied Information Systems Security class, one of our project options is to audit a company's systems. Since my future father-in-law runs a lumber yard, I am taking that option. Here is a link to the project description. It is option number 3.

    My question is, how can I find out what's legal? We have already signed a contract giving us permission to audit the system in just about any way we want, but what is going "too far"? Thanks!

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    I think that if you have the permission of the owners of the infrasturucture you can basically go to town!! But just be sure that you dont DOS any of their machines.

    Before you start, get a good undestanding of their environment

    Use tools carefully such as Nikto (or Whisker) and test the strength of their webiste, and use Nessus (again, carefully) to test the security of the hosts on the internal network.

    You will also want to take care in handling your results. Maybe encrypt all of your documentation with PGP or similiar just in case they fall into the wrong hands! Also any confidential information you gather that wont or shouldnt be included in your report should be adequetely destroyed.

    Remember....Rule number 1 in the real world is to cover your own arse

    Nessus gives you some damn fine results and suggestions to fix them.
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

  3. #3
    Member
    Join Date
    May 2002
    Posts
    61
    Good call. We put a non-disclosure clause in the contract. We will be doing a full physical survey of the location, to determine things like A/V software, physical access to machines, firewall, etc.

    But would something like trojaning a user's PC in order to gain access to server passwords be too much? Not that I am considering that, but I am afraid of going too far...

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    But would something like trojaning a user's PC in order to gain access to server passwords be too much? Not that I am considering that, but I am afraid of going too far...
    You don't want to open them up any vulnerabilities or holes in the security, rather try to close or report potiential holes. Depending on what they give you access too... you don't need a trojan to gain access to their password DB. Just tell them in order to audit you need to test their password policies and point out potiential weaknesses.

    security audit: Of data processing operations, an independent review and examination of system records and activities to (a) determine the adequacy of system controls, (b) ensure compliance with established security policy and operational procedures, (c) detect breaches in security, and (d) recommend any indicated changes in any of the foregoing.
    http://www.atis.org/tg2k/_security_audit.html

    Vulnerability scanners and review of their policies may be the best bet to start with.

    NOTE: I've never actaully perfomed a secuirty audit... but I remember reading a nice paper on auditing security on securityfocus. You might want to take a good look at it.

    http://securityfocus.com/infocus/1697

    You are not trying to "crack" into their network per say... just trying to find ways that it could be done and then trying to prevent someone else from doing just that.

  5. #5
    Member
    Join Date
    May 2002
    Posts
    61
    Originally posted here by phishphreek80


    You don't want to open them up any vulnerabilities or holes in the security, rather try to close or report potiential holes. Depending on what they give you access too... you don't need a trojan to gain access to their password DB. Just tell them in order to audit you need to test their password policies and point out potiential weaknesses...
    So like testing their passwords via john the ripper or similar methods?

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    it might be nice if you appeared professional and started off by checking for service packs, hot fixs, services running, password policy, permissions...things like that then work your way up. if you waltz in and start cracking password (excuse me...testing password strength) and scanning for vulns your going to be seen as anything but pro
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Member
    Join Date
    May 2002
    Posts
    61
    Originally posted here by Tedob1
    it might be nice if you appeared professional and started off by checking for service packs, hot fixs, services running, password policy, permissions...things like that then work your way up. if you waltz in and start cracking password (excuse me...testing password strength) and scanning for vulns your going to be seen as anything but pro
    lol. You are right; we are not just going to start off with nmap and a copy of the latest MS DCOM exploit.

    We are being graded on this, and it would not reflect highly on us if we didn't examine their policies before attempting any kind of vulnerability mapping. I know that an audit is not simply trying to crack some servers.

    Thanks for all the replies; keep 'em coming!

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    239
    Do you have permission to scan within the network, or does it have to be a remote scan?

    If you can perform the audit at a local level (or even remotely), I would definetely give eEye's Retina a try. You can grab the trial with most features at http://www.eeye.com/html/Products/Retina/

    Retina keeps an updated list of new vulns, so I imagine it would be very useful in your case!

    Good luck
    It\'s 106 miles to Chicago, we\'ve got a full tank of gas, half a pack of cigarettes, it\'s dark and we\'re wearing sunglasses.

    Hit it!

  9. #9
    Member
    Join Date
    May 2002
    Posts
    61
    Originally posted here by Showtime8000
    Do you have permission to scan within the network, or does it have to be a remote scan?

    If you can perform the audit at a local level (or even remotely), I would definetely give eEye's Retina a try. You can grab the trial with most features at http://www.eeye.com/html/Products/Retina/

    Retina keeps an updated list of new vulns, so I imagine it would be very useful in your case!

    Good luck
    We can do both remote and local. I'll check Retina out!

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    You might also want to assess the "less fun" security aspects of the company.

    As already previously stated, check out the companies security policies/standards/procedural documets etc...

    I also think that the users security awareness plays a big part, and possibly the hardest to address. Look to see if users lock their PC's, put password on their monitors etc..
    SoggyBottom.

    [glowpurple]There were so many fewer questions when the stars where still just the holes to heaven - JJ[/glowpurple] [gloworange]I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool. [/gloworange]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •